Question about the validateState and checks for expiration #825

Closed
gjberghuis opened this issue Jul 15, 2020 · 4 comments

gjberghuis commented Jul 15, 2020

We would like to use the lifetime of our accessToken as the leading factor to determine whether we need to refresh the tokens or not.

I have two questions:

  1. The last check in the validateState of state-validation.service.ts checks if the id token is not expired:

```typescript
if (!this.tokenValidationService.validateIdTokenExpNotExpired(toReturn.decodedIdToken)) {
    this.loggerService.logWarning('authorizedCallback id token expired');
    toReturn.state = ValidationResult.TokenExpired;
    this.handleUnsuccessfulValidation();
    return toReturn;
}
```

We would like to be able to skip this check. In addition to that, we would like to be able to check if the accessToken is not expired. This also happens in the callback.services.ts:

```typescript
const accessTokenHasExpired = this.authStateService.hasAccessTokenExpiredIfExpiryExists();
```

  2. In the callback.services.ts we also want to decide if we want to check the accessToken lifetime, idToken lifetime or both of them:

```typescript
const idTokenHasExpired = this.authStateService.hasIdTokenExpired();
const accessTokenHasExpired = this.authStateService.hasAccessTokenExpiredIfExpiryExists();

if (!idTokenHasExpired && !accessTokenHasExpired) {
    return of(null);
}
```

I hope you can help us with this. Or maybe we are lacking some knowledge about the importance of the identityToken lifetime; in that case, please help us with some explanation.

@damienbod
Owner

I consider disabling the id_token lifetime check per configuration. I have had this request quite often.

Thanks for reporting Damien

@andreaslarssen
Contributor

andreaslarssen commented May 18, 2021

Also experiencing this. From what I can see, there's nothing in the RFC that indicates that the TTL of the id_token should be an indicator of how long the session of an external app should last. Therefore I consider this a bug, and that it shouldn't be solved by being able to config "away" the relevance of the id_token, as it's not really relevant in the first place. If you, for some reason, need to at all times have a valid id token, that should be an opt-in.

@damienbod
Owner

We add support for this in V12.

@damienbod
Owner

Added in V12. The default is with the id_token check; you can configure this to stop the check.

```typescript
enableIdTokenExpiredValidationInRenew: false
```

Thanks for reporting
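
The renew decision discussed in this thread, modelled as an added example; it is not code from the library or from any participant. Only `enableIdTokenExpiredValidationInRenew` comes from the thread; all other names, and the fail-closed handling of a missing `exp`, are assumptions. It also surfaces the case where the id_token check is off and the access token carries no expiry, so nothing would ever trigger a renew.

```typescript
// Added illustration; not the library's implementation.
// All identifiers except enableIdTokenExpiredValidationInRenew are hypothetical.
interface RenewConfig {
  enableIdTokenExpiredValidationInRenew: boolean; // per the thread, the default keeps the check
}

interface TokenState {
  decodedIdToken: { exp?: number } | null; // exp: seconds since epoch (JWT NumericDate)
  accessTokenExpiresAtMs: number | null;   // null when no expiry was recorded
}

type RenewDecision = { renew: boolean; reason: string };

// Assumption: an id_token without a usable exp claim counts as expired (fail closed).
function idTokenExpired(state: TokenState, nowMs: number): boolean {
  const exp = state.decodedIdToken ? state.decodedIdToken.exp : undefined;
  if (typeof exp !== 'number' || !isFinite(exp)) {
    return true;
  }
  return exp * 1000 <= nowMs;
}

// Follows the "IfExpiryExists" naming: no recorded expiry means "not expired".
function accessTokenExpiredIfExpiryExists(state: TokenState, nowMs: number): boolean {
  return state.accessTokenExpiresAtMs !== null && state.accessTokenExpiresAtMs <= nowMs;
}

function decideRenew(config: RenewConfig, state: TokenState, nowMs: number): RenewDecision {
  if (accessTokenExpiredIfExpiryExists(state, nowMs)) {
    return { renew: true, reason: 'access token expired' };
  }
  if (config.enableIdTokenExpiredValidationInRenew && idTokenExpired(state, nowMs)) {
    return { renew: true, reason: 'id_token expired' };
  }
  if (!config.enableIdTokenExpiredValidationInRenew && state.accessTokenExpiresAtMs === null) {
    // With the id_token check off and no access token expiry, no signal remains.
    return { renew: false, reason: 'no expiry source available' };
  }
  return { renew: false, reason: 'tokens still valid' };
}

// Constructed sample: id_token expired 60 s ago, access token valid for 10 more minutes.
const SAMPLE_NOW_MS = 1700000000000;
const SAMPLE_STATE: TokenState = {
  decodedIdToken: { exp: SAMPLE_NOW_MS / 1000 - 60 },
  accessTokenExpiresAtMs: SAMPLE_NOW_MS + 600000,
};
```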
